\section{Contributions}

In this section, we describe the theoretical and practical
contributions of this work.

\subsection{Theoretical}

A thorough examination of the protocol by Zhou et al. \cite{Zhou:2005:APS:1085126.1085127}
reveals many limitations that were not properly addressed in the original paper.

\subsubsection{Exponential Share Expansion} The original work observed that
the number of shares each server is required to maintain increases exponentially
as a temporal function of the share refreshing round. That is, each server generates
${{n}\choose{k}}$ subshares for each original subshare. Zhou et al. suggested that
$n$ sharing of the original secret be created to avoid this expansion. However, this
approach necessarily implies that the mobile adversary only accesses the current
sharing for the round, rather than the other $n-1$ sharings. If this assumption is
violated, the adversary can trivially recover the original secret by corrupting only
a single server.

\subsubsection{Multiple Initial Sharings}
We further observed that the original paper\cite{Zhou:2005:APS:1085126.1085127} 
suggested the use of several multiple initial sharings of the same secret by the dealer. 
Hence requiring the use of a coordinator among the servers to select which version 
of the shares to use in share refreshing. The authors claim that this would help 
in mitigating the exponential blowup of the number of subshares that has to be
communicated and stored at each server.

But we feel that this is counter intuitive. This is because this requires each 
of the server to store to the above sets of initial sharings by the dealer. 
This makes the attackers life much easier where it has more chances of 
collecting the share sets required, and would drastically increase the probability 
of success of the attacker.

\subsubsection{Private Keys} The original work assumes that a mobile adversary
will not store the private key of corrupted servers. The adversary is allowed to use
the private key while corrupting the server, but once the server recovers, the adversary
is assume to lose knowledge of the private key. This is a very strong assumption to
make, and is only addressed in a footnote in the original paper.

\subsection{Practical}

As proposed for our baseline contributions, we have
given an implementation of the following:

\begin{enumerate}
\item Verifiable Secret Sharing Scheme
\item Subsharing Generation
\item Share Reconstruction
\end{enumerate}

Our implementation was written in Java, with code
solely written by the authors. We describe our implementation
in Section \ref{impl}, and the subsequent experiments
in Section \ref{exp}.
